FDA’s Dec 2018 Guidance on Data Integrity

Posted on by admin

What is Data Integrity ?

The definition of Data integrity is that a data need to be complete, consistent, and accurate . The concept applies to CGMP and Good Clinical Practice (ICH E6). Data should be “ALCOA” ( Attributable, Legible , Contemporaneous, Original or true copy, Accurate )

Key Concepts of Data Integrity:

  • Metadata :
    • Structured information that describes, explains or otherwise makes it easier to retrieve, use or manage data
    • Audit trails (old/new values, who, when, why)
    • Processing information
    • Methods
  • Audit Trails:
    • a secure, computer-generated, time-stamped electronic record that allows for reconstruction of the course of events relating to the creation, modification, or deletion of an electronic record
    • Following cGMP compliance, you must prevent data from being lost or obscured and ensure that activities are documented at the time of performance
    • Electronic record-keeping systems, which include audit trails, can support these CGMP requirements
  • Static versus dynamic records :
    • Static Data: Indicates a fixed-datarecord (electronic)
      • Print out (hard copy)
    • Dynamic Data: Electronic record that the user can interact with and modify
  • Backup datasets:
    • A true copy of the original record maintained securely throughout the record retention period
    • Must be exact, complete and secure from alteration, inadvertent erasures or loss
    • Should contain the data (and metadata) in the original format or one compatible with it
    • System configuration settings
    • Backup is consistent with the term archive as used in the guidance for Computer System Validation (CSV)
    • Temporary backup copies (in case of a system crash) do not satisfy FDA’s requirement of maintaining a backup file of data
  • System validation
    • Computer or related systems can refer to computer hardware, software, peripheral devices, networks, cloud infrastructure, personnel, and associated documents (e.g., user manuals and standard operating procedures)
    • This includes the backup and recovery process

FDA Guidance on Data Integrity :

FDA issued a new guidance on Data Integrity and Compliance with current Good Manufacturing Practice) cGMP in December 2018. This addresses cGMPs for drugs and biologics, as required in 21 CFR parts 210, 211 and 212. The guidance provides FDA’s current thinking on creating and handling data in accordance with Agency requirements. While not addressed specifically in the new guidance, cGMP violations can also impact or be directly linked to application filing, review, and regulatory actions.

Elements of New Guidance:

  • FDA requires data to be reliable and accurate, and recommends risk-based strategies to manage data integrity issues
  • These strategies should consider design, operation and monitoring of systems and controlsbased on risk to patient/consumer, process and product
  • FDA stresses management involvement is necessary to prevent and correct conditions that can compromise data integrity by creating a culture that encourages identification and reporting of these issues
  • 21 CFR Parts 211 and 212 : Requirements with respect to data integrity include:
    • 211.68 – “backup data are exact and complete,” and “secure from alteration, inadvertent erasures, or loss” and that “output from the computer…be checked for accuracy”
    • 212.110(b) – data be “stored to prevent deterioration or loss”
    • 211.100 and 211.160 – activities be “documented at the time of performance” and that laboratory controls be “scientifically sound”
    • 211.180 – records be retained as “original records,” “true copies,” or other “accurate reproductions of the original records”
    • 211.188, 211.194, and 212.60(g) – “complete information,” “complete data derived from all tests,” “complete record of all data,” and “complete records of all tests performed”
    • 211.22, 211.192 and 211.194(a) – production and control records must be “reviewed” and laboratory records must be “reviewed for accuracy, completeness and compliance with established standards”
    • 211.182, 211.186(a), 211.188(b)(11), and 211.194(a)(8) – records must be “checked,” “verified” or “reviewed”
  • All data created as a cGMP record must be evaluated by Quality against release criteria and maintained
  • Electronic data includes relevant metadata required to reconstruct the activity captured in the record
  • Invalidating test results to exclude them from quality unit decisions about conformance to a specification requires a valid, documented, scientifically sound justification
  • If legitimately invalidated, the full cGMP batch record should include the invalidated data, along with the investigation report that justifies invalidating the result
  • Any cGMP workflow is an intended use of a computer system and must be validated
  • The extent of validation testing must align with the potential risk posed by the automated system, should it fail
  • FDA recommends implementing appropriate controls to manage risks associated with each element of the system
  • FDA recommends appropriate controls to assure only authorized personnel can make changes to records
  • The ability to alter specifications, process parameters, data or manufacturing/test methods should be restricted to technical teams only
  • Authorization to alter files and settings should be assigned to a system administrator who is independent from users responsible for record content
  • A method should be documented for authorization of access and associated privileges for FDA-regulated systems
  • All sets of blank forms that are numbered should be issued and reconciled upon completion of them
  • Incomplete or erroneous forms should be kept as part of the permanent record along with written justification for their replacement
  • Audit trails should be reviewed by the same organization that would review notebooks or other hard copy data records
  • Audit trail review should be at the same frequency as mandated by cGMPs for the records involved
  • Electronic copies can be used as true copies of paper or electronic records, provided they preserve the content and meaning of the original, including all metadata to reconstruct the cGMP activity and the static or dynamic nature of them
  • True copies of dynamic electronic records may be created and maintained in the format of the originals or in a format  that preserves the content and meaning of the original if a suitable reader and copying equipment are readily available
  • Paper printouts (static records) may be retained instead of original electronic records from stand-alone computerized lab instruments
  • A paper printout (static record) may satisfy retention requirements if it is the original record or a true copy, provided it is retained
  • If the electronic records are dynamic, a printout (static record) does not preserve the dynamic record format that is part of the complete original record
  • Electronic data becomes a cGMP record when generated
  • It must be documented, or saved, at the time of activity performance (contemporaneously)
  • FDA expects processes to be designed so that data required to be created and maintained cannot be modified without a record of the modification (such as an audit trail)
  • Chromatographic data should be saved to durable media upon completion of each step or injection, not at the end of an injection set
  • Changes to the chromatographic data or injection sequence should be documented in an audit trail
  • Aborted or incomplete injections should be captured in audit trails and should be investigated and justified
  • It is not acceptable to record data on pieces of paper that will be discarded after the data are transcribed to a permanent laboratory notebook
  • It is not acceptable to store electronic records in a manner that allows for manipulation without creating a permanent record
  • You may employ a combination of technical and procedural controls to meet CGMP documentation practices for electronic systems, such as combining technical checks with a procedure requiring data be keyed in or otherwise entered immediately when generated
  • Electronic signatures with the appropriate controls can be used instead of handwritten signatures or initials in any CGMP required record
  • 21 CFR 11 establishes criteria for when electronic signatures are considered the legally binding equivalent of handwritten signatures
  • Firms using electronic signatures should document the controls used to ensure that they are able to identify the specific person who signed the records electronically
  • FDA prohibits sampling and testing to achieve a specific result or to overcome an unacceptable result (“Testing into Compliance”)
  • It is a violation to use an actual sample in test, prep, or equilibration runs to disguise this
  • If an actual sample is to be used, it should be a properly characterized secondary standard, with written procedures established and followed, and should be from a different batch than the sample(s) being tested
  • It is not acceptable to only save the final results from reprocessed lab chromatography testing
  • Analytical methods should be accurate and precise
  • If chromatography is reprocessed, written procedures must be established and followed and each result retained for review
  • FDA requires complete data in laboratory records, which includes but is not limited to notebooks, worksheets, graphs, charts, spectra, and other types of data
  • An internal tip or information regarding a quality issue, such as data falsification, should not be handled informally outside of the documented cGMP quality system
  • Suspected/known falsification/alteration of records must be fully investigated under the cGMP quality system to:
    • determine the effect of the event on patient safety, product quality, and data reliability
    • determine the root cause
    • ensure the necessary corrective actions are taken

Related Reading :

Data Integrity & 21 CFR Part 11 Compliance Requirements

Best Practices of CSV & 21 CFR Part 11 Compliance